Free resources for secure web browsing (in insecure locations)
If you travel, this scenario comes up often:
You get free access to the internet at a hotel or coffee shop, but worry about people sniffing the connection.
Even when you use SSL, it is a pain that people can still run traffic analysis on your surfing, attempt a session hijack using your credentials, or, even worse, act as a man-in-the-middle and log every bit of your surfing. Many corporate entities require the use of a VPN to tunnel all internet traffic through the headquarters network connection, so they can filter traffic the way they want to and do their best to protect your system from malware and probing.
If you are trying to be secure on a budget, one solution that I've worked with requires three packages.
- Privoxy - http://www.privoxy.org/
- Foxyproxy - http://foxyproxy.mozdev.org/
- PuTTY - http://www.putty.org/ (or your favorite SSH client)
In this scenario, you install Privoxy, which works as a personal web proxy, on a *nix or Windows machine that resides at your home or office. That same machine will also need to be running an SSH server. Depending on your network architecture, you'll either need a firewall rule to allow port 22 (SSH) through to that machine or, if you have NAT in place, a PAT rule or pinhole through the firewall to that system. (If you choose to use a port other than 22, you will receive far fewer port scans and hacking attempts on your system.)
When configuring Privoxy, you'll want to select 127.0.0.1 and some high port such as 8000 or 8888 to connect to Privoxy through. The version I have uses the default of port 8118. The reason to use the 127.0.0.1 loopback address is that Privoxy will then only accept traffic from inside the machine. If you have the SSH server on another machine, you'll want to use the address of one of the ethernet adapters instead. On many Linux installations, you'll be editing /etc/privoxy/config (note that a line starting with # is a comment and has no effect, so the directive you want must be uncommented):
# a snippet from /etc/privoxy/config
listen-address 127.0.0.1:8118
# if the SSH server is on another machine, listen on the LAN adapter instead:
# listen-address 192.168.0.1:8118
At this point you should have the firewall configured, an SSH server running, and Privoxy up and running.
The next step is to connect to your SSH/Privoxy machine over the internet. In this example we'll use PuTTY under Win32, but on OS X or Linux you can use ssh at the command line to do the tunneling.
Once you have that SSH connection up and running, you'll need to point your web browser at the proxy server. On your side you'll be using your own loopback address, 127.0.0.1. Normally you would NOT want to check the box that says "Local ports accept connections from other hosts", unless you are trying to provide proxy services to a large number of machines through one SSH connection.
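The command-line equivalent of that PuTTY tunnel, as an added example that is not from the original post: it builds the ssh forward bound to loopback (the unchecked "accept connections from other hosts" box) and checks a Privoxy config, read from stdin, to confirm every active listen-address binds loopback. The user, host and ports are placeholders, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: ssh local port forward to a Privoxy host, plus a Privoxy
# listen-address check.  Hosts, users and ports are placeholders.

# Print the ssh command that forwards a local loopback port to Privoxy.
#   $1 user@host   $2 ssh port   $3 local port   $4 Privoxy address   $5 Privoxy port
# -N: forwarding only, no remote shell.
# -L 127.0.0.1:LPORT:...: bind the local end to loopback only.
# StrictHostKeyChecking=yes: refuse to connect unless the server's host key is
#   already in known_hosts (record it at home first); the tunnel's protection
#   against a rogue AP doing man-in-the-middle rests on this check.
# ExitOnForwardFailure=yes: fail loudly if the forward cannot be set up, rather
#   than leaving a tunnel the browser cannot actually use.
# ServerAliveInterval=30: keep the tunnel from being dropped by idle timeouts.
tunnel_cmd() {
  printf 'ssh -N -p %s -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:%s:%s %s' \
    "$2" "$3" "$4" "$5" "$1"
}

# Read a Privoxy config on stdin; succeed only if there is at least one active
# (uncommented) listen-address and all of them bind loopback, so the proxy is
# reachable solely through the SSH tunnel.
privoxy_listens_on_loopback() {
  awk '
    /^[[:space:]]*listen-address[[:space:]]+/ {
      n++
      if ($2 !~ /^(127\.0\.0\.1|localhost):[0-9]+$/) bad++
    }
    END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# Constructed sample configs for the check.
LOOPBACK_CONFIG='# listen-address 192.168.0.1:8118
listen-address 127.0.0.1:8118'
LAN_CONFIG='listen-address 192.168.0.1:8118'

# Privoxy and sshd on the same host: local 8888 -> 127.0.0.1:8118 on the server.
tunnel_cmd 'me@home.example.com' 2222 8888 127.0.0.1 8118
echo
```

Once the tunnel is up, point FoxyProxy at 127.0.0.1:8888; running curl --proxy http://127.0.0.1:8888 against any site from the same machine confirms the path works before you trust it.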
You can manually set up a proxy server in Firefox or IE, but I prefer to use FoxyProxy, which lets you change settings on the fly or proxy based on specific traffic rules. So if you want to visit www.cnn.com without going through the proxy, but reach www.gmail.com only through the proxy, you can do that. If you have limited upstream bandwidth on your Privoxy host, this may be a good solution.
Configuration of FoxyProxy is fairly simple. Once the add-on is installed, create a new proxy entry pointing at 127.0.0.1 port 8888 (or whatever port you have chosen). Once it is saved, you can turn proxying on and off by right-clicking the FoxyProxy menu in the lower right-hand corner of Firefox. You can create some fairly complex patterns for web surfing, but that is beyond the scope of this post.
So, what do we get from this? If someone is sniffing your home connection, you are out of luck. But if you configure the connection as described, every web site you surf to will be tunneled through your SSH connection and then proxied by the Privoxy machine. If you have other applications that run outside of your browser, you may have to reconfigure them to point at the localhost proxy on your machine so that they are secured as well. Someone sniffing your connection will just see SSH traffic from your machine to that host and nothing else. Even if someone is running a rogue WiFi AP so they can perform a man-in-the-middle attack, all they will get is a bunch of encrypted garbage from your SSH connection.